Abstract. We present a new method for constructing genus 2 curves
over a finite field $\mathbb{F}_n$ with a given number of points on its Jacobian.
This method has important applications in cryptography, where groups 
of prime order are used as the basis for discrete-log based cryptosystems. 
Our algorithm provides an alternative to the traditional CM method for 
constructing genus 2 curves. For a quartic CM field K with primitive 
CM type, we compute the Igusa class polynomials modulo p for certain 
small primes p and then use the Chinese remainder theorem (CRT) and a 
bound on the denominators to construct the class polynomials. We also 
provide an algorithm for determining endomorphism rings of ordinary 
Jacobians of genus 2 curves over finite fields, generalizing the work of 
Kohel for elliptic curves. 



1. Introduction 

In cryptography, some public key protocols for secure key exchange and
digital signatures are based on the difficulty of the discrete logarithm
problem in the underlying group. In that setting, groups such as the group of
points on an elliptic curve or the group of points on the Jacobian of a genus
2 hyperelliptic curve over a finite field may be used. The security of the
system depends on the largest prime factor of the group order, and thus
it is desirable to be able to construct curves such that the resulting group
order is prime. This paper presents an alternative to the CM (Complex
Multiplication) algorithm for generating a genus 2 curve over a finite field
with a known number of points on its Jacobian.

The CM algorithm for genus 2 is analogous to the Atkin-Morain CM
algorithm for elliptic curves proposed in the context of primality testing
([AM93]). Whereas the Atkin-Morain algorithm generates the Hilbert class
polynomial of an imaginary quadratic field K by evaluating the modular
j-invariants of all elliptic curves with CM by K, the genus 2 algorithm
generates what we will refer to as the Igusa class polynomials of a quartic CM
field K by evaluating the modular invariants of all the abelian varieties of
dimension 2 with CM by K. Just as the j-invariant of an elliptic curve can
be calculated in two ways, either as the value of a modular function on a
lattice defining the elliptic curve as a complex torus over $\mathbb{C}$ or directly from
the coefficients of the equation defining the elliptic curve, the triple of Igusa
invariants ([Igu60, Igu62]) of a genus 2 curve can also be calculated in two
different ways. Using classical invariant theory over a field of characteristic
zero, Clebsch defined the triple of invariants of a binary sextic $f$ defining
a genus 2 curve $y^2 = f(x)$. Bolza showed how those invariants could also
be expressed in terms of theta functions on the period matrix associated to
the Jacobian variety and its canonical polarization over $\mathbb{C}$. Igusa showed
how these invariants could be extended to work in arbitrary characteristic
([Igu67, p. 848], see also [GL04, Section 5.2]), and so the invariants are
often referred to as Igusa or Clebsch-Bolza-Igusa invariants.

To recover the equation of a genus 2 curve given its invariants, Mestre
gave an algorithm which works in most cases, and involves possibly passing
to an extension of the field of definition of the invariants ([Mes91]).
The CM algorithm for genus 2 curves takes as input a quartic CM field K
and outputs the Igusa class polynomials with coefficients in $\mathbb{Q}$ and if
desired, a suitable prime p and a genus 2 curve over $\mathbb{F}_p$ whose Jacobian has
CM by K. The CM algorithm has been implemented by Spallek ([Spa94]),
van Wamelen ([vW99]), Weng ([Wen03]), Rodriguez-Villegas ([RV00]), and
Cohn-Lauter ([CL01]). This method requires increasingly large amounts of
precision of accuracy to obtain the theta values necessary to form the class
polynomials. The running time of the CM algorithm has not yet been
analyzed due to the fact that no bound on the denominators of the coefficients
of the Igusa class polynomials was known prior to the work of [GL04].

The idea of the algorithm we present here is to calculate the Igusa class
polynomials of a quartic CM field in a different way than the CM algorithm
does. Our method generalizes the algorithm for finding the Hilbert class
polynomial given in [ALV04] to the genus 2 situation. Given a quartic CM
field K with primitive CM type, for each small prime p in a certain set we
determine the Igusa class polynomial modulo p by finding all triples of
invariants modulo p for which the corresponding genus 2 curve has CM by K.
The Igusa class polynomial is then found using the Chinese Remainder
Theorem (or the explicit CRT as in [ALV04]) and a bound on the denominators
of the coefficients.

Several difficulties arise in the genus 2 situation which are absent in the 
elliptic curve case. In this paper we resolve the following issues: the field of 
definition of a CM abelian variety, necessary conditions on the small primes 
for the algorithm to succeed, and the computation of the endomorphism 
ring of the Jacobian of a genus 2 curve in the ordinary case. Our algorithm 
for computing endomorphism rings of Jacobians of genus 2 curves over finite 
fields generalizes the work of Kohel [Koh96] for elliptic curves.

1.1. Statement of the Theorem. We will refer to a quartic CM field K
with primitive CM type as a primitive quartic CM field. Given a primitive
quartic CM field K, let $\mathcal{A}$ be a system of representatives for the set
of isomorphism classes of principally polarized abelian varieties over $\mathbb{C}$
having complex multiplication by $\mathcal{O}_K$. For each abelian variety $A \in \mathcal{A}$ let
$(j_1(A), j_2(A), j_3(A))$ be the absolute Igusa invariants of A. Then the Igusa
class polynomials $H_i$, for $i = 1, 2, 3$, are defined to be

$$H_i := \prod_{A \in \mathcal{A}} (X - j_i(A)).$$

It is known ([Shi98]) that roots of these polynomials generate unramified
abelian extensions of the reflex field of K. It is also known that Igusa class
polynomials can be used to generate genus 2 curves with CM by K, and
thus with a given zeta function over a suitable prime field (cf. Section 3).
In this paper we prove the following theorem.

Theorem 1. Given a quartic CM field K with primitive CM type, the
following algorithm finds the Igusa class polynomials of K:

(1) Produce a collection S of small rational primes $p \in S$ satisfying:

a. p splits completely in K and splits completely into principal ideals in
$K^*$, the reflex of K.

b. Let B be the set of all primes of bad reduction for the genus 2 curves
with CM by K. Then $S \cap B = \emptyset$.

c. $\prod_{p \in S} p > c$, where c is a constant determined in Theorem 3.

(2) Form the class polynomials $H_1, H_2, H_3$ modulo p for each $p \in S$. Let
$H_{i,p}(X) := H_i(X) \bmod p$. Then

$$H_{i,p}(X) = \prod_{C \in T_p} (X - j_i(C)),$$

where $T_p$ is the collection of $\overline{\mathbb{F}}_p$-isomorphism classes of genus 2 curves over
$\mathbb{F}_p$ whose Jacobian has endomorphism ring isomorphic to $\mathcal{O}_K$.

(3) Chinese Remainder Step. Form $H_i(X)$ from $\{H_{i,p}\}_{p \in S}$ ($i = 1, 2, 3$).

Remark 1. Condition 1(a) is enough to ensure that p solves a relative norm
equation in $K/K_0$, $\pi\bar{\pi} = p$, $\pi$ a Weil number (cf. Proposition 4 below).

Remark 2. By [GL04], the primes in the set B and in the denominators
of the class polynomials are bounded effectively by a quantity related to the
discriminant of K. Furthermore, it follows from [Gor97, Theorems 1 and 2]
and the discussion in [GL04, Section 4.1] that condition 1(b) is implied by
condition 1(a).

Remark 3. It follows from the Cebotarev density theorem that the density
of the primes in the set S is inversely proportional to the class number of K
in the case that K is Galois cyclic. In the non-Galois case, the density is
inversely proportional to the degree of the normal closure of the composite
of K with the Hilbert class field of the reflex of K.

Our algorithm in the present form is not efficient, and we make no claims
about the running time. A complete implementation of our algorithm is now
available in [FL06], along with new efficient probabilistic algorithms for
computing endomorphism rings. Our algorithm has the advantage that it does
not require exponentially large amounts of precision of computation. It was
recently brought to our attention that the paper [CMKT00] proposes a similar
algorithm, but they give no proof of the validity of the approach. Indeed,
they fail to impose the conditions necessary to make the algorithm correct
and include many unclear statements. Also, while revising this paper, a
p-adic approach to generating genus 2 curves was given in [GHKRW]. No
comparison has yet been made between the different available approaches.

In Section 3 we show how Theorem 1 can be used to generate genus 
2 curves with a given zeta function. The proof of Theorem 1 is given in 
Section 4. Implementation details for the algorithm are given in Section 5. 
In Section 6 we show how to determine the endomorphism ring of an ordinary 
Jacobian of a genus 2 curve. Section 7 gives an example of the computation 
of a class polynomial modulo a small prime. 

Acknowledgments. The authors thank E. Goren, E. Howe, K. Kedlaya,
J-P. Serre, P. Stevenhagen, and T. Yang for helpful discussions. The authors
also thank D. Freeman and the referee for valuable comments to improve
the paper.

2. Notation 

Throughout this paper, C denotes a smooth, projective, absolutely
irreducible curve, and $J = J(C)$ will be its Jacobian variety with identity
element O. The field K is always assumed to be a primitive quartic CM
field, $K \neq \mathbb{Q}(\zeta_5)$, with ring of integers $\mathcal{O}_K$. The real quadratic subfield of
K is denoted by $K_0$, and a generator for the Galois group $\mathrm{Gal}(K/K_0)$ is
denoted by a bar, $\omega \mapsto \bar{\omega}$. We will write $K^*$ for the reflex of the quartic CM
field K. For $i = 1, 2, 3$ we let $H_i(X)$ be the Igusa class polynomials of K
and for a prime $p \in S$ we let $H_{i,p} := H_i \bmod p$. For a field F, $\overline{F}$ will denote
an algebraic closure of F. We say that C has CM by K if the endomorphism
ring of $J(C)$ is isomorphic to the full ring of integers $\mathcal{O}_K$.

3. Generating genus 2 curves with a given zeta function 

Our algorithm solves the following problem under certain conditions.
Problem: Given $(n, N_1, N_2)$, find a genus 2 curve C over the prime field
$\mathbb{F}_n$ such that $\#C(\mathbb{F}_n) = N_1$ and $\#C(\mathbb{F}_{n^2}) = N_2$.

Given $(n, N_1, N_2)$, it is straightforward to find K, the quartic CM field
such that the curve C has CM by K, by finding the quartic polynomial
satisfied by Frobenius. Write $N_1 = n + 1 - s_1$, and $N_2 = n^2 + 1 + 2s_2 - s_1^2$,
and solve for $s_1$ and $s_2$. Then K is generated over $\mathbb{Q}$ by the polynomial

$$t^4 - s_1 t^3 + s_2 t^2 - n s_1 t + n^2.$$

Restrictions: If $s_2$ is prime to n, then the Jacobian is ordinary ([How95,
p. 2366]). Assume that $(s_2, n) = 1$. We also restrict to primitive CM fields
K. If K is a quartic CM field, then K is not primitive iff $K/\mathbb{Q}$ is Galois and
biquadratic ($\mathrm{Gal}(K/\mathbb{Q}) = V_4$) ([Shi98, p. 64]). In the example in Section 7,
K is given in the form $K = \mathbb{Q}(i\sqrt{a + b\sqrt{d}})$, with $a, b, d \in \mathbb{Z}$ and d and (a, b)
square free. In this form the condition is easy to check: K is primitive iff
$a^2 - b^2 d \neq k^2$ for some integer k ([KW89, p. 135]). Assume further that K
does not contain a cyclotomic field.

Solution: Given a triple $(n, N_1, N_2)$ satisfying the above restrictions, one
can generate a curve C over $\mathbb{F}_n$ with the associated zeta function as follows.
Compute K and its Igusa class polynomials $H_1, H_2, H_3$ using Theorem 1.
From a triple of roots modulo n of $H_1, H_2, H_3$, construct a genus 2 curve
over $\mathbb{F}_n$ using the combined algorithms of Mestre ([Mes91]) and
Cardona-Quer ([CQ05]). To match triples of roots, in practice one can test whether
the curve generated has the correct zeta function by checking the number
of points on the Jacobian of the curve. A curve C with the correct zeta
function will have $\#J(C)(\mathbb{F}_n) = N = (N_1^2 + N_2)/2 - n$. If the curve does
not have the required number of points on the Jacobian, a twist of the curve
may be used. In the case where 4 group orders are possible for the pair
(n, K) (cf. Section 5.1), a different triple of invariants may be tried until
the desired group order is obtained.
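
The bookkeeping of this section, as an added Python example that is not code from the paper: it counts points on a small curve by brute force, then derives s1, s2, the Frobenius polynomial, the Jacobian order and the order of the quadratic twist. The quintic model y^2 = f(x), the function names and both sample inputs are assumptions constructed for illustration.

```python
# Added example, not code from the paper. Assumes an odd prime p and a
# quintic model y^2 = f(x), which has exactly one point at infinity.
from math import gcd


def legendre(a, p):
    """Quadratic character of a modulo the odd prime p: 1, -1 or 0."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def count_points(f, p):
    """Return (#C(F_p), #C(F_{p^2})) for C: y^2 = f(x).

    f lists the coefficients of a quintic over F_p, highest degree first.
    """
    g = next(t for t in range(2, p) if legendre(t, p) == -1)  # non-residue

    def mul(u, v):
        # F_{p^2} = F_p[w]/(w^2 - g); the pair (a, b) stands for a + b*w.
        return ((u[0] * v[0] + g * u[1] * v[1]) % p,
                (u[0] * v[1] + u[1] * v[0]) % p)

    def f_at(x):
        acc = (0, 0)
        for c in f:                      # Horner evaluation in F_{p^2}
            acc = mul(acc, x)
            acc = ((acc[0] + c) % p, acc[1])
        return acc

    n1 = n2 = 1                          # the point at infinity
    for a in range(p):
        for b in range(p):
            va, vb = f_at((a, b))
            # z != 0 is a square in F_{p^2} iff its norm is a square in F_p
            n2 += 1 + legendre(va * va - g * vb * vb, p)
            if b == 0:                   # x lies in F_p, so f(x) = va
                n1 += 1 + legendre(va, p)
    return n1, n2


def frobenius_data(n, N1, N2):
    """Solve N1 = n + 1 - s1 and N2 = n^2 + 1 + 2*s2 - s1^2 for s1, s2."""
    s1 = n + 1 - N1
    twice_s2 = N2 - n * n - 1 + s1 * s1
    if twice_s2 % 2:
        raise ValueError("(n, N1, N2) cannot come from a genus 2 curve")
    s2 = twice_s2 // 2
    poly = [1, -s1, s2, -n * s1, n * n]  # t^4 - s1 t^3 + s2 t^2 - n s1 t + n^2
    jac = sum(poly)                      # value at t = 1 is #J(C)(F_n)
    assert jac == (N1 * N1 + N2) // 2 - n
    return {
        "s1": s1,
        "s2": s2,
        "poly": poly,
        "jacobian_order": jac,
        # Frobenius -pi (quadratic twist): value of the polynomial at t = -1.
        "twist_order": 1 + s1 + s2 + n * s1 + n * n,
        # The restriction of this section: (s2, n) = 1 gives an ordinary Jacobian.
        "s2_coprime_to_n": gcd(s2, n) == 1,
    }


if __name__ == "__main__":
    # Constructed sample curve: y^2 = x^5 + 1 over F_7.
    n1, n2 = count_points([1, 0, 0, 0, 0, 1], 7)
    print(n1, n2, frobenius_data(7, n1, n2))
    # Constructed triple (not the data of the paper's Section 7).
    print(frobenius_data(43, 41, 1861))
```

The sample curve y^2 = x^5 + 1 over F_7 fails the coprimality restriction (s2 = 0), so it is exactly the kind of input the method excludes; the constructed triple (43, 41, 1861) passes it.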

4. Proof of Theorem 1 

Given a primitive quartic CM field K, let $\mathcal{A}$ be a system of representatives
of the isomorphism classes of simple principally polarized abelian surfaces
over $\mathbb{C}$ with CM by K. Each element of $\mathcal{A}$ has a field of definition k which
is a finite extension of $\mathbb{Q}$ ([Shi98, Prop. 26, p. 96]). For any prime $p \in S$
satisfying the conditions of Theorem 1, the set $T_p$ was defined in Step 2
of Theorem 1 as the collection of $\overline{\mathbb{F}}_p$-isomorphism classes of genus 2 curves
over $\mathbb{F}_p$ with an isomorphism of $\mathcal{O}_K$ with End(J(C)). We claim that we
have a bijective correspondence between $\mathcal{A}$ and $T_p$. Moreover, we claim that
reducing the Igusa invariants gives the Igusa invariants of the reduction.
Taken together, these can be stated in the form of the following theorem:

Theorem 2. Let K be a primitive quartic CM field and let $p \in S$ be a
rational prime that satisfies the conditions of Theorem 1. Then

$$H_{i,p}(X) = \prod_{C \in T_p} (X - j_i(C)),$$

where $H_{i,p}(X)$ and $T_p$ are defined as in Theorem 1.

Proof. Let $A \in \mathcal{A}$ be a principally polarized abelian surface with CM by K,
defined over a number field k. Let $k_0$ be its field of moduli (see [Shi98, p. 27]
for the definition). By class field theory, p splits completely into principal
ideals in $K^*$ if and only if p splits completely in $H^*$, the maximal unramified
abelian extension of $K^*$ ([Cox89, Corollary 5.25]). The field of moduli is
contained in $H^*$ (see [Shi98, Main Theorem 1, p. 112]), but in general it is
not true that $k = k_0$. By a theorem of Shimura (see [Shi71, Ex. 1, p. 525],
see also [Gor97, Proposition 2.1]) if K is a primitive quartic CM field, then
k is contained in $k_0$, so A is defined over $k_0$.

Proposition 2.1 of [Gor97] also shows that A has good reduction at any
prime $\beta$ of $\mathcal{O}_{H^*}$. Let $A_p$ be the reduction of A modulo a prime above
p. Then because p splits completely in the Galois closure of K, $A_p$ is
ordinary ([Gor97, Theorems 1 and 2]) and because p splits completely into
principal ideals in $K^*$, $A_p$ is defined over $\mathbb{F}_p$. By condition 1(b) of
Theorem 1, $A_p$ is the Jacobian of a genus 2 curve C over $\mathbb{F}_p$ ([OU73]). Then C
is an element of $T_p$.

We must show that this correspondence is one-to-one and onto. To show
that it is one-to-one, we can generalize the argument in [Lan73, Theorem
13, p. 183]. Let $A, B \in \mathcal{A}$, and for $p \in S$ let $A_p$ and $B_p$ be the reductions
of A and B as above. Assume that $A_p$ and $B_p$ are isomorphic over $\mathbb{F}_p$, and
let $\varepsilon : B_p \to A_p$ be an isomorphism. The varieties A and B both have CM
by K, hence there exists an isogeny $\lambda : A \to B$ ([Shi98, Corollary, p. 41])
giving rise to a reduced isogeny $\lambda_p : A_p \to B_p$. Since the endomorphism ring
of A is preserved under the reduction map, there exists $\alpha \in \mathrm{End}(A)$ such
that the reduction $\alpha_p$ satisfies $\alpha_p = \varepsilon \circ \lambda_p$. Let C be the image of the map
$\lambda \times \alpha : A \times A \to B \times A$. With a similar argument as in [Lan73, p. 184],
one can then show that C is the graph of an isomorphism between A and
B. Similarly, if there is an isomorphism of the principal polarizations on $A_p$
and $B_p$ then this isomorphism lifts to an isomorphism of the polarizations
on A and B. This shows that the correspondence is one-to-one.

The correspondence is onto because, given a genus 2 curve C over $\mathbb{F}_p$ with
CM by K representing a class of $T_p$, its Jacobian J(C) is ordinary and so it
can be lifted, along with its endomorphism ring and its polarization, to its
"Serre-Tate canonical lift", A, defined over the Witt vectors $W(\mathbb{F}_p) = \mathbb{Z}_p$
([Mes72, Theorem 3.3, p. 172]). Let L be the field generated over $\mathbb{Q}$ by all
the coefficients of the equations defining A. Then A is defined over L and
since L has finite transcendence degree over $\mathbb{Q}$, we can embed it into $\mathbb{C}$. So
we can lift J(C) to an abelian variety with CM by K defined over $\mathbb{C}$.

By assumption 1(b) of Theorem 1, no prime above $p \in S$ is a prime of
bad reduction for a genus 2 curve with CM by K, so by [GL04, Cor 5.1.2],
$p \in S$ is coprime to the denominators of the class polynomials $H_i(X)$. We
claim that reducing the coefficients of $H_i$ modulo p gives the same result as
taking the polynomial whose roots are the absolute Igusa invariants of the
curves over $\mathbb{F}_p$ with Jacobians equal to the reductions modulo a prime above
p of the abelian varieties A representing the classes of $\mathcal{A}$. Since the absolute
Igusa invariants are rational functions in the coefficients of the curve, the
order of computation of the invariants and reduction modulo a prime can
be reversed as long as the primes in the denominator are avoided and an
appropriate model for the curve is chosen. □

Theorem 3. Suppose the factorization of the denominators of the Igusa
class polynomials is known. Let $\nu$ be the largest absolute value of the
coefficients of the $H_i$, and let $\lambda$ be the least common multiple of the
denominators of the coefficients of the $H_i$ ($i = 1, 2, 3$). Let S be a set of rational
primes such that $S \cap B = \emptyset$ and $\prod_{p \in S} p > c$, where $c = 2\lambda \cdot \nu$. Then the
Chinese Remainder Theorem can be used to compute the class polynomials
$H_i(X) \in \mathbb{Q}[X]$ from the collection $\{H_{i,p}\}_{p \in S}$, $i = 1, 2, 3$.

Proof. By assumption $\lambda$ is prime to all $p \in S$. The polynomials

$$F_i(X) := \lambda \cdot H_i(X), \quad i = 1, 2, 3$$

have integer coefficients. For each $p \in S$ let

$$F_{i,p} := F_i \pmod{p} = \lambda \cdot H_{i,p} \pmod{p}.$$

Apply the Chinese Remainder Theorem to the collection $\{F_{i,p}\}_{p \in S}$ to obtain
a polynomial which is congruent to $F_i \in \mathbb{Z}[X]$ modulo the product $\prod_{p \in S} p$.
Since c was taken to be twice $\lambda$ times the largest absolute value of the
coefficients, we have found $F_i$, and so $H_i = \lambda^{-1} \cdot F_i$. □
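
The reconstruction in this proof, as an added Python example that is not code from the paper: residues of a rational polynomial modulo several primes are scaled by the common denominator (`lam`), combined by CRT, and lifted to the symmetric range, with the product of the primes checked against the bound c (twice `lam` times the coefficient bound `nu`). The sample polynomial and all function names are constructed for illustration.

```python
# Added example, not code from the paper: the Chinese Remainder Step of
# Theorem 3 on a constructed polynomial with rational coefficients.
from fractions import Fraction
from functools import reduce
from math import gcd, prod


def denominator_lcm(H):
    """Least common multiple of the denominators of the coefficients of H."""
    return reduce(lambda a, b: a * b // gcd(a, b),
                  (c.denominator for c in H), 1)


def reduce_mod_p(H, p):
    """Coefficients of H mod p; p must not divide any denominator."""
    return [c.numerator * pow(c.denominator, -1, p) % p for c in H]


def crt_reconstruct(residues, lam, nu):
    """Recover H in Q[X] from {p: coefficients of H mod p}.

    lam: common denominator of the coefficients of H.
    nu:  bound on the absolute values of the coefficients of H.
    """
    primes = sorted(residues)
    if any(lam % p == 0 for p in primes):
        raise ValueError("a prime in S divides the denominator")
    M = prod(primes)
    if M <= 2 * lam * nu:
        raise ValueError("product of primes does not exceed c = 2*lam*nu")
    H = []
    for k in range(len(residues[primes[0]])):
        x = 0
        for p in primes:
            Mp = M // p
            f_kp = lam * residues[p][k] % p      # coefficient of F mod p
            x += f_kp * Mp * pow(Mp, -1, p)      # CRT basis element for p
        x %= M
        if x > M // 2:                           # symmetric lift: |F_k| < M/2
            x -= M
        H.append(Fraction(x, lam))               # H = F / lam
    return H


# Constructed sample, highest degree first:
# H = X^3 - (22/7) X^2 + (355/14) X - 9/2, so lam = 14 and c = 710.
H_SAMPLE = [Fraction(1), Fraction(-22, 7), Fraction(355, 14), Fraction(-9, 2)]

if __name__ == "__main__":
    lam = denominator_lcm(H_SAMPLE)
    nu = max(abs(c) for c in H_SAMPLE)
    res = {p: reduce_mod_p(H_SAMPLE, p) for p in (3, 5, 11, 13)}
    print(crt_reconstruct(res, lam, nu) == H_SAMPLE)
```

With only the primes 3, 5 and 11 the product 165 is below c = 710, and `crt_reconstruct` refuses rather than returning a wrong lift.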

Remark 4. It was proved in [GL04] that the primes dividing the
denominators are bounded effectively in terms of the field K by a quantity related
to the discriminant. The power to which each prime in the denominator
appears has also been bounded in recent work of Goren, and so we can conclude
that we have a bound on the denominators of the class polynomials.

Proof of Theorem 1. The proof of Theorem 1 now follows immediately from 
Theorem 2 and Theorem 3. □ 

5. Implementation 

5.1. The possible group orders for each p. Suppose that C is a genus
2 curve defined over $\mathbb{F}_p$ with CM by K. To find all possible group orders
for $J(C)(\mathbb{F}_p)$, let $\pi \in \mathcal{O}_K$ correspond to the Frobenius endomorphism of C.
Since the Frobenius satisfies $\pi\bar{\pi} = p$, it follows that the relative norm of
$\pi$ is p, i.e. $N_{K/K_0}(\pi) = p$, and hence $N(\pi) = N_{K/\mathbb{Q}}(\pi) = p^2$. So if K is
fixed, primes p for which there exist genus 2 curves modulo p with CM by
K are primes for which there are solutions to the relative norm equation
$N_{K/K_0}(\pi) = p$. The following proposition gives the number of possible group
orders in each case. It overlaps with [Wen04, Thm 4.1], but our statement,
assumptions, and proof are all slightly different, and we use the details of
this proof in our algorithm, so we include it here. Note that, as pointed out
in [Wen04], it is not known whether two of the four possible group orders
could coincide in the non-Galois case.

Proposition 4. Fix a primitive quartic CM field K, and a rational prime
p unramified in K. Assume that $K \neq \mathbb{Q}(\zeta_5)$, so that the only roots of unity
in K are $\{\pm 1\}$. Then

(A) There are either 0, 2 or 4 possibilities for the group order $\#J(C)(\mathbb{F}_p)$
of curves C with CM by K.

(B) Under the additional assumption that p splits completely into principal
ideals in $K^*$ and splits completely in K, there are always 2 possible group
orders in the cyclic case and 4 possible group orders in the non-Galois case.

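Proof. We consider all possible decompositions of the prime p in K.

Case 1: There exists a prime ideal $\mathfrak{p}$ of $K_0$ above p that does not split in
K. In this case there is no solution to the relative norm equation.

Case 2: The rational prime p is inert in $K_0/\mathbb{Q}$, and the prime $\mathfrak{p}$ of $K_0$ above
p splits in K with $\mathfrak{P}_1 \mid \mathfrak{p}$ and $\mathfrak{P}_2 \mid \mathfrak{p}$. We have $\overline{\mathfrak{P}_1} = \mathfrak{P}_2$. In this case there are
two ideals of norm $p^2$, $\mathfrak{P}_1$ and $\mathfrak{P}_2$. If $\mathfrak{P}_1$ is not principal, then there are no
solutions to the norm equation. If $\mathfrak{P}_1$ is principal with generator $\pi$, then
$\mathfrak{P}_2 = (\bar{\pi})$, and $\pi\bar{\pi} = p$. The elements $\pi$ and $\bar{\pi}$ are Galois conjugates, so by
Honda-Tate $\pi$ and $-\pi$ give rise to all possible group orders. Let $\pi_1 := \pi$,
and let $\pi_2, \ldots, \pi_4$ be its conjugates over $\mathbb{Q}$. Then $m_1 = \prod_{i=1}^{4} (1 - \pi_i)$ and
$m_2 = \prod_{i=1}^{4} (1 - (-\pi_i))$ are the 2 possible group orders for the Jacobian.

Case 3: p splits completely in $K/\mathbb{Q}$, with $\mathfrak{P}_1, \ldots, \mathfrak{P}_4$ lying above p and
with $\overline{\mathfrak{P}_1} = \mathfrak{P}_2$, and $\overline{\mathfrak{P}_3} = \mathfrak{P}_4$. Then $\mathfrak{P} := \mathfrak{P}_1\mathfrak{P}_3$, $\mathfrak{Q} := \mathfrak{P}_1\mathfrak{P}_4$, and $\overline{\mathfrak{P}}$ and
$\overline{\mathfrak{Q}}$ are the only ideals with relative norm p.

Subcase (a) If $K/\mathbb{Q}$ is Galois, then the Galois group is cyclic, since
we assumed that K was a primitive CM field ([Shi98, p. 65]). Let $\sigma$ be a
generator of $\mathrm{Gal}(K/\mathbb{Q})$. Then w.l.o.g. $\mathfrak{P}_2 = \mathfrak{P}_1^{\sigma^2}$, $\mathfrak{P}_3 = \mathfrak{P}_1^{\sigma}$, and $\mathfrak{P}_4 = \mathfrak{P}_1^{\sigma^3}$.
Thus $\mathfrak{P} = \mathfrak{P}_1\mathfrak{P}_1^{\sigma} = (\mathfrak{P}_1\mathfrak{P}_1^{\sigma^3})^{\sigma} = \mathfrak{Q}^{\sigma}$, so if $\mathfrak{P}$ is principal, so is $\mathfrak{Q}$, and their
generators, $\omega$ and $\omega^{\sigma}$, give rise to isogenous curves. Hence if $\mathfrak{P}$ is principal,
then there are two possible group orders as before, and if it is not principal,
then the relative norm equation has no solution.

Subcase (b) If $K/\mathbb{Q}$ is not Galois, then the Galois group of its splitting
field is the dihedral group $D_4$ ([Shi98, p. 65]). In this case $\mathfrak{P}$ and $\mathfrak{Q}$ are
not Galois conjugates. So if both $\mathfrak{P}$ and $\mathfrak{Q}$ are principal, then there are
4 possible group orders, if only one of them is principal, then there are 2
possible group orders, and otherwise there are no solutions to the relative
norm equation.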

Statement (A) follows from the 3 cases considered above. Statement
(B) concerns Case 3. If K is Galois, then $K = K^*$ and the additional
assumptions imply that $\mathfrak{P}$ is principal, and then there are 2 possible group
orders. If K is not Galois, let L be the Galois closure with dihedral Galois
group $\mathrm{Gal}(L/\mathbb{Q}) = \langle \tau, \sigma : \tau^2, \sigma^4, \tau\sigma\tau\sigma \rangle$ such that K is the fixed field of $\tau$
and the CM type is $\{1, \sigma\}$. Then $\sigma^2$ is complex conjugation. According
to [Gor97, Theorem 2], a rational prime p that splits completely in L with
V := pOi decomposes as follows in K and K*: 

pOk = qJiq32W4 = {vv^){V''^v^''^){V''v^''){V'''v^'''), 
By assumption, *p^, ^Pg) ^^3) ^4 principal. Thus both *p and O. are
principal since ^ = ^1^3 = ^^i^l)" , and = ^1^4 = VliVlY- Thus 
there are 4 possible group orders when K is not Galois. □ 

5.2. Generating the collection of primes S. In practice to generate
a collection of primes belonging to S there are several alternatives. One
approach is to run through small primes checking the splitting behavior in K
and $K^*$ using a computational number theory software package like PARI.
A second approach is to generate solutions to the relative norm equation
directly as in [Wen03, Section 8], then check each solution for the splitting
in K and $K^*$ and check for the other solution to the relative norm equation
in the case that K is not Galois. One advantage to this approach is that it
gives direct control over the index of $\mathbb{Z}[\pi, \bar{\pi}]$ in $\mathcal{O}_K$ in terms of the coefficients
$c_i$ of $\pi$, the solution to the relative norm equation (cf. Proposition 5).

5.3. Computing Igusa class polynomials modulo p. Let $p \in S$. To
compute the Igusa class polynomials mod p we must find all $\overline{\mathbb{F}}_p$-isomorphism
classes of genus 2 curves over $\mathbb{F}_p$ whose Jacobian has CM by K. This can
be done as follows:

(1) For each triple of Igusa invariants modulo p, generate a genus 2 curve
with those Igusa invariants using an implementation of the
Mestre-Cardona-Quer algorithm ([Mes91], [CQ05]).

(2) Let $N_p := \{(n_1, m_1), (n_2, m_2), \ldots, (n_r, m_r)\}$ be the set of possible
group orders $(\#C(\mathbb{F}_p), \#J(C)(\mathbb{F}_p))$ of curves C which have CM by K as
computed above in Section 5.1.

(3) Collect all curves C such that $(\#C(\mathbb{F}_p), \#J(C)(\mathbb{F}_p)) \in N_p$ as follows:
for each triple of invariants and a corresponding curve C, take a random
point Q on J(C). Multiply Q by $m_1, \ldots, m_r$ and check if the identity element
is obtained for some r. If not, then C does not belong to $T_p$. If a curve passes
this test, then count the number of points on the curve and its Jacobian
over $\mathbb{F}_p$ to check whether the Jacobian has the right isogeny type. This
procedure obtains all curves in the desired isogeny class. For each curve in
the desired isogeny class, the endomorphism ring of the Jacobian contains
the ring $\mathbb{Z}[\pi, \bar{\pi}]$ and is contained in the ring $\mathcal{O}_K$. The curve is included in
the set $T_p$ only if $\mathrm{End}_{\mathbb{F}_p}(J(C)) = \mathcal{O}_K$. In the next section, we will show how
to test this property by computing the endomorphism ring $\mathrm{End}_{\mathbb{F}_p}(J(C))$.

6. Computing endomorphism rings of genus 2 curves 

6.1. The index of $\mathbb{Z}[\pi, \bar{\pi}]$ in $\mathcal{O}_K$. For a prime p and a Frobenius element
$\pi \in \mathcal{O}_K$, the smaller the index of $\mathbb{Z}[\pi, \bar{\pi}]$ in $\mathcal{O}_K$, the less work it takes to
compute the endomorphism ring. For example, if the index is 1, then we can
determine whether $C \in T_p$ just from counting points on C and its Jacobian.
Proposition 5 gives a bound for the index of $\mathbb{Z}[\pi, \bar{\pi}]$ in $\mathcal{O}_K$.

Proposition 5. Let $K := \mathbb{Q}(\eta)$ be a quartic CM field, where $\eta = i\sqrt{a + b\sqrt{d}}$
with $a, b, d \in \mathbb{Z}$ and d and (a, b) square free. Let $\mathcal{O}_K$ be its ring of integers.
Assume for simplicity that the Frobenius endomorphism of C is of the form
$\pi := c_1 + c_2\sqrt{d} + (c_3 + c_4\sqrt{d})\eta$ with $c_1, \ldots, c_4 \in \mathbb{Z}$, that $a^2 - b^2 d$ is square free
and that the real quadratic subfield $K_0$ has class number 1. If $d \equiv 2, 3 \bmod 4$,
then $[\mathcal{O}_K : \mathbb{Z}[\pi, \bar{\pi}]]$ divides $8c_2(c_3^2 - c_4^2 d)$. If $d \equiv 1 \bmod 4$, then $[\mathcal{O}_K : \mathbb{Z}[\pi, \bar{\pi}]]$
divides $16c_2(c_3^2 - c_4^2 d)$.

Proof. We have

(1) $\pi + \bar{\pi} - 2c_1 = 2c_2\sqrt{d}$,

(2) $[2c_2c_3 - c_4(\pi + \bar{\pi} - 2c_1)](\pi - \bar{\pi}) = 4c_2(c_3^2 - c_4^2 d)\eta$,

(3) $(c_3 - c_4\sqrt{d})(\pi - \bar{\pi}) = 2(c_3^2 - c_4^2 d)\eta$.

So $\mathbb{Z}[2c_2\sqrt{d}, 4c_2(c_3^2 - c_4^2 d)\eta] \subseteq \mathbb{Z}[\pi, \bar{\pi}]$. Since $K_0$ has class number 1, we have
a relative integral basis of $\mathcal{O}_K$ over $\mathcal{O}_{K_0}$. We can choose a relative basis of
the form $\{1, \kappa\}$, and by [SW96], in the case that $d \equiv 2, 3 \bmod 4$, $\kappa$ is either

1. $\eta/2$   2. $(1 + \eta)/2$   3. $(\sqrt{d} + \eta)/2$   4. $(1 + \sqrt{d} + \eta)/2$.

In each case the index of $\mathbb{Z}[\sqrt{d}, \eta]$ in $\mathcal{O}_K$ is 2. For $d \equiv 1 \bmod 4$, $\kappa$ is either

5. $(1 + 2\eta)/4$   6. $(-1 + \sqrt{d} + \eta)/4$   7. $(-b + \sqrt{d} + 2\eta)/4$.

Here, in each case the index of $\mathbb{Z}[\sqrt{d}, \eta]$ in $\mathcal{O}_K$ is 4. We have

$$\mathbb{Z}[\pi, \bar{\pi}] \subseteq \mathbb{Z}[\pi, \bar{\pi}, \sqrt{d}] \subseteq \mathbb{Z}[\sqrt{d}, \eta] \subseteq \mathcal{O}_K,$$

with $[\mathbb{Z}[\pi, \bar{\pi}, \sqrt{d}] : \mathbb{Z}[\pi, \bar{\pi}]]$ dividing $2c_2$ and $[\mathbb{Z}[\sqrt{d}, \eta] : \mathbb{Z}[\pi, \bar{\pi}, \sqrt{d}]]$ dividing
$2(c_3^2 - c_4^2 d)$. If $d \equiv 2, 3 \bmod 4$, then $[\mathcal{O}_K : \mathbb{Z}[\sqrt{d}, \eta]] = 2$, and hence the index
$[\mathcal{O}_K : \mathbb{Z}[\pi, \bar{\pi}]]$ divides $8c_2(c_3^2 - c_4^2 d)$. If $d \equiv 1 \bmod 4$, then $[\mathcal{O}_K : \mathbb{Z}[\sqrt{d}, \eta]] = 4$,
and hence $[\mathcal{O}_K : \mathbb{Z}[\pi, \bar{\pi}]]$ divides $16c_2(c_3^2 - c_4^2 d)$. Since the index is a positive
integer, it is thus also bounded by these quantities. □

So if we want to minimize the index $[\mathcal{O}_K : \mathbb{Z}[\pi, \bar{\pi}]]$ then we have to
minimize $c_2(c_3^2 - c_4^2 d)$. When $a^2 - b^2 d$ is not square free the representation of
the ring of integers can become more complicated ([SW96]), but the term we
need to minimize is still $c_2(c_3^2 - c_4^2 d)$. Using the relative basis of $\mathcal{O}_K$ over $\mathcal{O}_{K_0}$
we can also determine which denominators can occur in the coefficients $c_i$
of the Frobenius endomorphism and generalize our argument to the general
case.

6.2. Determining the index of End(J) in $\mathcal{O}_K$. We can summarize the
necessary conditions to ensure that $[\mathcal{O}_K : \mathrm{End}(J)] = 1$ as follows:

Lemma 6. Under the conditions of Section 6.1, to show that the
endomorphism ring of a curve is the full ring of integers $\mathcal{O}_K$, it is sufficient to test
whether:

(1) $\sqrt{d}$ is an endomorphism, where $2c_2\sqrt{d} = \pi + \bar{\pi} - 2c_1$.

(2) $\eta$ is an endomorphism, where

$$(4c_2(c_3^2 - c_4^2 d))\eta = (2c_2c_3 - c_4(\pi + \bar{\pi} - 2c_1))(\pi - \bar{\pi}).$$

Here the $c_i$'s are the coefficients of $\pi$ written in the relative basis.

(3) $\kappa$ is an endomorphism, where $\kappa$ is one of the 7 possible elements
listed in Section 6.1 in the case that $a^2 - b^2 d$ is square free.

If any one of these conditions fails, we conclude that the endomorphism
ring of the curve is not the full ring of integers $\mathcal{O}_K$. When $a^2 - b^2 d$ is not
square free then the relative integral basis is listed in the table in [SW96,
p. 186]. This algorithm can also be modified to test whether the
endomorphism ring of the curve is some other subring of $\mathcal{O}_K$ or to compute the
endomorphism ring exactly.

To test whether $\sqrt{d}$, $\eta$, and $\kappa$ are endomorphisms, we express them as
above as polynomials in $\pi$ and $\bar{\pi}$ with integral denominators determined by
the $c_i$. It will be proved in Section 6.3 below that in each case it suffices to
check whether the numerator acts as zero on the s-torsion, where s is the
denominator.

6.3. Action on s-torsion. 

Proposition 7. Assume that k is an algebraically closed field and that
A, B, C are abelian varieties over k. Let $\beta : A \to B$, $\gamma : A \to C$ be two
isogenies with $\beta$ separable and $\mathrm{Ker}(\beta) \subseteq \mathrm{Ker}(\gamma)$. Then there is a
homomorphism $\delta : B \to C$ such that $\delta \cdot \beta = \gamma$.

Proof. This proof follows the argument of Remark 7.12 in [Mil98, p. 37].
Since $\beta$ is separable, we can form the quotient abelian variety $A/\mathrm{Ker}(\beta)$.
From the universal property of $A/\mathrm{Ker}(\beta)$ we have a regular map
$A/\mathrm{Ker}(\beta) \to B$, which is again separable and bijective. Since B is nonsingular, this
implies that it is an isomorphism. Thus $B = A/\mathrm{Ker}(\beta)$. After identifying
B with $A/\mathrm{Ker}(\beta)$ and using the universal properties of quotients again we
find that there is a unique regular map $\delta$ such that $\delta \cdot \beta = \gamma$. Moreover, $\delta$ is
automatically a homomorphism because it maps O to O. □

Proposition 8. Let k be an algebraically closed field and let A be an abelian
variety over k. Let $R := \mathrm{End}_k A$. Let $s \in R$ be separable and let $A[s] =
\{P \in A(k) : sP = 0\} = \mathrm{Ker}(s)$. Then A[s] is a faithful R/Rs-module.

Proof. Clearly, A[s] is an R/Rs-module. We have to show that A[s] is a
faithful R/Rs-module; that is, any $r \in R$ with $r \cdot A[s] = 0$ belongs to Rs.
Suppose r is such that $r \cdot A[s] = 0$. Since s is separable, this implies that
r = ts for some endomorphism t of A by Proposition 7 above applied with
A = B = C, $\beta = s$ and $\gamma = r$. This implies that $r \in Rs$, which proves the
claim. □

We will frequently use the following

Corollary 9. Let A, k be as in Proposition 8. Let n be a positive integer
coprime to the characteristic of k. Suppose that $\alpha : A \to A$ is an
endomorphism, with $A[n] \subseteq \mathrm{Ker}(\alpha)$, i.e. $\alpha$ acts as zero on the n-torsion. Then
$\alpha = \beta \cdot n = n \cdot \beta$, for some endomorphism $\beta$, i.e. $\alpha$ is divisible by n in
$R = \mathrm{End}_k(A)$.

6.4. Computing the index using division polynomials. In [Can94],
Cantor finds recursive formulae for division polynomials for hyperelliptic
curves with one point at infinity, $P_\infty$. The rth division polynomials he
defines are $(\delta_r(X), \varepsilon_r(X))$ such that ((5r(^p^), er(^^p^)) represents $r \cdot (x, y)$,
where (x, y) is a point on the curve thought of as the point $(x, y) - P_\infty$
on the Jacobian. For a general point on the Jacobian represented as $D =
P_1 + P_2 - P_\infty$, we see that $rD = O$ iff $rP_1 = -rP_2$. If $P_1 = (x_1, y_1)$ and
$P_2 = (x_2, y_2)$, then we can write down a system of equations and an ideal, $I_r$,
defining the solutions to the system, where $I_r$ is an ideal in $\mathbb{F}_p[x_1, x_2, y_1, y_2]$.
Various ways of finding the ideal $I_r$ have been investigated, from Grobner
bases to resultant computations (see [GH00] and [GS05]).

The ideal $I_r$ can be used to test the action of endomorphisms on the
r-torsion. For example, to check that $\pi^2$ (or any other polynomial in $\pi$) acts
like a on the r-torsion, it suffices to check that in $\mathbb{F}_p[x_1, x_2, y_1, y_2]$,

$$\pi^2(D) = aD \bmod I_r.$$

Even if the best method for computing the $I_r$ is not yet completely well
understood in practice, in theory this is likely the most efficient way to
compute the action of endomorphisms on r-torsion.

6.5. Computing the index through direct computation of the action
of Frobenius on the torsion subgroups. In practice, we used a
computational number theory software package like MAGMA to compute
the group structure of $J(C)(\mathbb{F}_{p^k})$ for small values of $k$. Using the generators
of $J(C)(\mathbb{F}_{p^k})$ we then explicitly computed the action of Frobenius on various
torsion subgroups to determine whether or not certain elements of the
ring of integers are endomorphisms. An example will be given in the next
section. In the example we will use the following fact repeatedly:

Fact 10. Let $\gamma_k$ be a positive integer coprime to $p$. All the $\gamma_k$-torsion is
defined over $\mathbb{F}_{p^k}$ if and only if $\frac{\pi^k - 1}{\gamma_k}$ is an endomorphism.

Fact 10 follows immediately from Corollary 9. Note that it is not true 
in general that the field of definition of the r-torsion for all m is enough to 
determine the endomorphism ring. We found examples of curves where the 
field of definition of the r-torsion was the same for all r, but the endomor- 
phism rings were different because the action of Frobenius on the torsion 
subgroups was different. However, there are special cases where checking 
the field of definition of the torsion is enough: 
Remark 5. In the case where $O_K$ is generated by elements of the form
$\frac{\pi^k - 1}{\gamma_k}$, for some collection of pairs of integers $(k, \gamma_k)$, then equality of the
endomorphism ring with $O_K$ can be checked simply by checking the field of
definition of the $\gamma_k$-torsion.

7. Example 

Let $K := \mathbb{Q}(i\sqrt{13 - 3\sqrt{13}})$. In this example we will find the Igusa class
polynomials of $K$ modulo 43 by finding all genus 2 curves $C$ defined over $\mathbb{F}_{43}$
(up to isomorphism over the algebraic closure of $\mathbb{F}_{43}$) such that $\mathrm{End}(J(C)) = O_K$,
where $O_K$ is the ring of integers of $K$. Let $K^*$ be the reflex of $K$. Since
$a^2 - b^2 d = 2^2 \cdot 13$, the extension $K/\mathbb{Q}$ is cyclic ([KW89, p. 88]), and hence
$K^* = K$ ([Shi98, p. 65]). The real quadratic subfield of $K$ is $K_0 := \mathbb{Q}(\sqrt{13})$.
The prime 43 splits completely in $K = K^*$. The class number of $K$ is 2,
and so since $K$ is Galois, we expect two classes of curves over $\mathbb{F}_{43}$ with CM
by $K$. Let $\eta := i\sqrt{13 - 3\sqrt{13}}$. The ring of integers of $K$ is

„ \/l3 + l^ ,„ VT3+1„, 



Let $\delta := (1 + \sqrt{13})/2$. The prime 43 factors in $K/K_0$ as:

$$43 = \pi \cdot \bar{\pi} = (-3 + 2\delta + (-2 - \delta)\eta) \cdot (-3 + 2\delta + (2 + \delta)\eta).$$

The characteristic polynomial of the Frobenius element corresponding to $\pi$
is

$$\psi(t) = 1849t^4 + 344t^3 + 50t^2 + 8t + 1.$$

Let $C$ be a curve over $\mathbb{F}_{43}$ whose Frobenius is $\pm\pi$. Then the possibilities
for $(\#C(\mathbb{F}_{43}), \#J(C)(\mathbb{F}_{43}))$ are (52, 2252) and (36, 1548). Using MAGMA
we found (up to isomorphism over $\mathbb{F}_{43}$) 67 curves whose Frobenius is $\pm\pi$.
However, not all 67 curves have endomorphism ring equal to the full ring
of integers. To eliminate those with smaller endomorphism ring, we first
observe that

$$\frac{\pi^4 - 1}{12} = -2 + 24\sqrt{13} + \frac{17}{2}\sqrt{13}\, i\sqrt{13 - 3\sqrt{13}} + \frac{113}{2}\, i\sqrt{13 - 3\sqrt{13}} \in O_K.$$

Then Fact 10 implies that any curve whose endomorphism ring is the full
ring of integers must have the full 12-torsion defined over $\mathbb{F}_{43^4}$. We can check
that this eliminates all but 6 of the 67 curves. The Igusa invariants of the
remaining 6 curves are:

(3, 24, 36), (4, 29, 28), (29, 24, 13), (20, 21, 29), (20, 23, 19), (36, 21, 6).

We expect only 2 curves over $\mathbb{F}_{43}$ (up to isomorphism) with CM by $K$. To
eliminate the other 4 curves from this list, it is enough in this case to check
the action of Frobenius on the 4-torsion. By Corollary 9, $\delta = \frac{\pi + \bar{\pi} + 6}{4}$ is an
endomorphism of $J(C)$ if and only if $\pi + \bar{\pi} + 6$ acts as zero on the 4-torsion,
or equivalently, $\pi + \bar{\pi}$ acts as multiplication-by-2 on the 4-torsion.
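The identities used so far in this example can be checked with exact arithmetic in $K$. The following Python sketch is an added illustration, not code from the paper (the authors used MAGMA); it represents elements of $K$ as $u + v\eta$ with $u, v \in \mathbb{Q}(\delta)$, using $\delta^2 = \delta + 3$ and $\eta^2 = -13 + 3\sqrt{13} = -16 + 6\delta$, and all function names are hypothetical.

```python
from fractions import Fraction as Fr

# K0 = Q(delta): (a, b) means a + b*delta, with delta^2 = delta + 3.
# K = K0(eta): (u, v) means u + v*eta, with eta^2 = -16 + 6*delta.
ETA_SQ = (Fr(-16), Fr(6))

def add0(x, y):
    return (x[0] + y[0], x[1] + y[1])

def mul0(x, y):
    (a, b), (c, d) = x, y
    return (a * c + 3 * b * d, a * d + b * c + b * d)

def add(x, y):
    return (add0(x[0], y[0]), add0(x[1], y[1]))

def mul(x, y):
    (u, v), (s, t) = x, y
    return (add0(mul0(u, s), mul0(mul0(v, t), ETA_SQ)),
            add0(mul0(u, t), mul0(v, s)))

def scal(c, x):
    return tuple((Fr(c) * a, Fr(c) * b) for a, b in x)

def const(n):
    return ((Fr(n), Fr(0)), (Fr(0), Fr(0)))

def conj(x):  # complex conjugation on K: eta -> -eta
    return (x[0], (-x[1][0], -x[1][1]))

def is_integral(x):
    return all(c.denominator == 1 for part in x for c in part)

PI = ((Fr(-3), Fr(2)), (Fr(-2), Fr(-1)))  # -3 + 2*delta + (-2 - delta)*eta
CHARPOLY = [1, 8, 50, 344, 1849]          # x^4 + 8x^3 + 50x^2 + 344x + 1849

def charpoly_at(x):
    total = const(0)
    for c in CHARPOLY:                    # Horner, leading coefficient first
        total = add(mul(total, x), const(c))
    return total

PI2 = mul(PI, PI)
NORM = mul(PI, conj(PI))                                    # pi * pi-bar
DELTA = scal(Fr(1, 4), add(add(PI, conj(PI)), const(6)))    # (pi + pi-bar + 6)/4
QUOTIENT = scal(Fr(1, 12), add(mul(PI2, PI2), const(-1)))   # (pi^4 - 1)/12
print(NORM, DELTA, QUOTIENT, is_integral(QUOTIENT), charpoly_at(PI))
```

Integral coordinates in the basis $1, \delta, \eta, \delta\eta$ are sufficient for membership in $O_K$, because $\delta$ and $\eta$ are algebraic integers.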
Consider a curve $C$ with Igusa invariants (20, 23, 19) given by the equation
$C : y^2 = 5x^6 + 21x^5 + 36x^4 + 7x^3 + 29x^2 + 32x + 10$ over $\mathbb{F}_{43}$. All the 4-torsion
is defined over a degree 4 extension, and we can use MAGMA to compute
a basis for the 4-torsion by computing the abelian group structure over the
degree 4 extension.

We can then compute that the action of Frobenius on the 4-torsion is
given in terms of some basis by the matrix $F$, and the action of $\bar{\pi}$ is
given by $V$:



F = 



A 





1 











3 


1\ 


2 


1 


1 





V = 


2 


1 


3 








2 


3 


2 





2 


3 


2 


\2 


2 


2 


V 




^2 


2 


2 


3/ 



From this it is easy to see that $\pi + \bar{\pi} = [2]$ on the 4-torsion, so $\delta$ is an
endomorphism of $C$. Performing the identical computation on a curve $C$
with Igusa invariants (36, 21, 6), we find that $\delta$ is also an endomorphism for
this curve. Doing the same calculation for the remaining 4 triples of Igusa
invariants (3, 24, 36), (4, 29, 28), (29, 24, 13), (20, 21, 29), we see that
$\pi + \bar{\pi} = [2]$ does not hold on the 4-torsion in those cases, so $\delta \notin \mathrm{End}(J(C))$ for any
of the corresponding curves.

It is easy to see in this case that $\delta \in \mathrm{End}(J(C))$ and $\frac{\pi^4 - 1}{12} \in \mathrm{End}(J(C))$ is
enough to conclude that $\mathrm{End}(J(C)) = O_K$. Hence the two triples of invariants
corresponding to curves with CM by $K$ are (36, 21, 6) and (20, 23, 19).
In conclusion, we have obtained the three Igusa class polynomials modulo
43 with our method:

$$H_{1,43}(X) = X^2 + 30X + 32,$$
$$H_{2,43}(X) = X^2 + 42X + 10,$$
$$H_{3,43}(X) = X^2 + 18X + 28.$$

These indeed agree modulo 43 with the class polynomials with rational coef- 
ficients computed by evaluating the quotients of Siegel modular forms with 
200 digits of precision as computed by van Wamelen ([vW99]): 



$$H_1(X) = X^2 - \frac{9625430292534239443768093859336546624656066801331680515511924}{1224160503138337270992732796402545210705949947} X + \frac{17211893103548805144815938862454140808252633213039291208686119112918076788941674683411636004}{58670687646017062528338814934164161420328368922180746779053222569},$$

$$H_2(X) = X^2 - \frac{3237631624959669936998571242515324335027260}{7973132502458523379282597629} X + \frac{101869481833026643236326057638275086345512388711354393815337676100}{387742378329008606934824201506984053723129},$$

$$H_3(X) = X^2 - \frac{2511631949170772694805531862232571975071932}{23919397507375570137847792887} X + \frac{83671593583457548222292142563905819629154823011540406083420061764}{3489681404961077462413417813562856483508161}.$$
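The agreement modulo 43 stated above can be reproduced directly. This Python sketch is an added check, not code from the paper: it reduces the rational coefficients modulo 43 (which requires that 43 not divide any denominator) and compares them with the quadratics whose roots are the invariants of the two CM curves found in the example. The integers are copied from the text, the constant terms are taken with a plus sign, and the function names are hypothetical.

```python
P = 43

# H_i(X) = X^2 - (a/b) X + (c/d): integers (a, b, c, d) copied from the text.
RATIONAL = {
    1: (9625430292534239443768093859336546624656066801331680515511924,
        1224160503138337270992732796402545210705949947,
        17211893103548805144815938862454140808252633213039291208686119112918076788941674683411636004,
        58670687646017062528338814934164161420328368922180746779053222569),
    2: (3237631624959669936998571242515324335027260,
        7973132502458523379282597629,
        101869481833026643236326057638275086345512388711354393815337676100,
        387742378329008606934824201506984053723129),
    3: (2511631949170772694805531862232571975071932,
        23919397507375570137847792887,
        83671593583457548222292142563905819629154823011540406083420061764,
        3489681404961077462413417813562856483508161),
}
# Igusa invariant triples of the two curves with CM by K found over F_43.
CM_INVARIANTS = [(36, 21, 6), (20, 23, 19)]

def frac_mod_p(num, den, p=P):
    """Reduce num/den modulo p; fails if p divides the denominator."""
    if den % p == 0:
        raise ValueError("p divides the denominator; reduction undefined")
    return num * pow(den, -1, p) % p

def reduce_rational(i, p=P):
    """(linear, constant) coefficients of H_i reduced modulo p."""
    a, b, c, d = RATIONAL[i]
    return ((-frac_mod_p(a, b, p)) % p, frac_mod_p(c, d, p))

def from_invariants(i, p=P):
    """(linear, constant) coefficients of (X - r)(X - s) modulo p."""
    r, s = (triple[i - 1] for triple in CM_INVARIANTS)
    return ((-(r + s)) % p, (r * s) % p)

for i in (1, 2, 3):
    print(i, reduce_rational(i), from_invariants(i))
```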